So there isn't really any way to be safe against XSS and at the same time support all users? Then ignore my "patch", and we should just make it clear that the data is in clear-text within the cookie and you must be very careful with validating the input.
On Sun, May 25, 2008 at 3:04 PM, Bluebie, Jenna <[EMAIL PROTECTED]> wrote:

> That's no good, a significant number of ISPs do not route requests from one
> user to one web host via the same routes on each request, and when they use
> proxy servers, as AOL does, that means every request comes from a different
> IP address, even though it's the same user. Worse still, the IP addresses of
> the proxy servers are located all around the world, so even geolocation
> fails.
>
> Ditch the remote IP check or it won't work at all for a lot of users. I also
> feel 15 minutes is dodgy. I like session cookies, not timed cookies. The
> user closes the browser and the cookie dies, nice and simple. If you want to
> use a timeout, how about something that won't have any real downsides, like a
> day or two?
>
> The user agent is probably safe, but some plugins add text to the user
> agent, so if the user upgrades Flash for instance, the session is instantly
> voided and unusable as Flash's version number will change.
>
> The only one of these which limits usefulness of cookie stealing to
> attackers is the IP check, which is totally unusable in the real world
> internet. Timeouts are just annoying and I don't think extremely high
> security apps which would suit 15 minute timeouts are really the target
> audience of Camping.
>
> —
> Jenna
>
> On 25/05/2008, at 10:45 PM, Magnus Holm wrote:
>
>> You're absolutely right. Not anymore, though. I fixed it in my cs-branch.
>> Now it will save the data in three cookies: camping_blob, camping_hash
>> and camping_time. The secure_blob_hasher includes the remote IP and
>> the user agent, and it also has a timeout of 15 minutes (which can be
>> overridden with @@state_timeout).
>>
>> http://github.com/judofyr/camping/commits/cs
>>
>> On Sun, May 25, 2008 at 5:43 AM, _why <[EMAIL PROTECTED]> wrote:
>>>
>>> On Sun, May 25, 2008 at 12:25:08AM +0200, Magnus Holm wrote:
>>>>
>>>> * The cookie session is named Camping::Session and is placed in
>>>> camping/session.rb. Maybe this should be called Camping::CookieSession
>>>> or???
>>>
>>> You know, these cookie sessions seem like they could be a problem.
>>> A lot of sessions would contain just the hash and the user name.
>>> So, spoof the user name and you're in, you know?
>>>
>>> _why
>>> _______________________________________________
>>> Camping-list mailing list
>>> Campingemail@example.com
>>> http://rubyforge.org/mailman/listinfo/camping-list
>>
>> --
>> Magnus Holm

--
Magnus Holm
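The three-cookie scheme discussed in the thread (camping_blob, camping_hash, camping_time), as an added Ruby example that is not Camping's own code: the hash covers only the blob and the timestamp, dropping the remote IP and user agent per Jenna's objections, and a blob whose user name has been edited no longer verifies, which answers _why's spoofing concern, while the blob itself stays readable to anyone holding the cookie. The server-side secret, JSON serialisation and a two-day timeout are assumptions of this example.

```ruby
require 'openssl'
require 'json'

# Hypothetical stand-in (not Camping's code) for a signed cookie session held
# in three cookies: camping_blob, camping_time and camping_hash.
module CookieSession
  # Session lifetime; the thread suggests a day or two rather than 15 minutes.
  TIMEOUT = 2 * 24 * 60 * 60

  # The hash covers the blob and the timestamp only: no remote IP, no user
  # agent, so proxied users and plugin upgrades do not void the session.
  def self.hmac(secret, blob, time)
    OpenSSL::HMAC.hexdigest('sha256', secret, "#{blob}|#{time}")
  end

  # Constant-time comparison so a forged hash cannot be matched byte by byte.
  def self.secure_eq(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Serialise the session into the three cookie values. The blob is only
  # base64-encoded, not encrypted: whoever holds the cookie can read it.
  def self.dump(data, secret, now = Time.now.to_i)
    blob = [JSON.generate(data)].pack('m0')
    time = now.to_s
    { 'camping_blob' => blob, 'camping_time' => time,
      'camping_hash' => hmac(secret, blob, time) }
  end

  # Returns the session data, or nil when any cookie is missing, the hash does
  # not match the blob and time, or the timestamp is stale or in the future.
  def self.load(cookies, secret, now = Time.now.to_i)
    blob, time, hash = cookies.values_at('camping_blob', 'camping_time', 'camping_hash')
    return nil if [blob, time, hash].any?(&:nil?)
    return nil unless secure_eq(hash, hmac(secret, blob, time))
    issued = Integer(time, exception: false)
    return nil if issued.nil? || issued > now || now - issued > TIMEOUT
    JSON.parse(blob.unpack1('m0'))
  end
end
```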